The following case studies, obtained from the Electronic Frontier Foundation's website,
illustrate some of the privacy issues we are currently discussing:
- On a local university network, users can read USENET news stories: stories posted on the
USENET bulletin boards by users from across the world. The stories range from discussions
of technical material about computer operating systems, to highly controversial political
discussions, or to discussions about sexuality. Imagine now that network users can use a
simple command to list all other users logged onto the system at that time, as well as what
those users are doing. If the users are reading news stories from the USENET news server, then
the command will report to the users what news stories they are reading.
- An activist group is angry about pornography on the net. It decides to attack the problem in
a somewhat unique way. It opens up an erotic web site, and then as individuals access the web
site, the group collects the information about who accessed the site. On a separate web site
the group then publishes a list: "Known consumers of pornography" and then lists the information
it has about people who have accessed its site. Or imagine the same case, with slightly different
facts: Imagine the activist group is an anti-gay activist group, and it puts up a web site on
resources for gays and lesbians, and then publishes the lists of who accesses the site. Or an
anti-abortion group, that publishes information about access to abortion clinics.
- Some World Wide Web browsers collect a list of the web sites that you have accessed. This list is
kept on your machine. When you access a web site, the software makes it possible for the web site
to read the list of web sites that you have previously accessed. Imagine that a web site has
implemented a procedure to read your list of web sites, and then decides whether to admit you
based on what other places you've been. (In a sense, the system is discriminating in granting
access, but what is important for our purposes is that it is making that discrimination by accessing
"your" information about where you have been.) For example, if it determines that you don't frequent
sufficiently "posh" places, it bumps you; or if it surmises from your list that you are a Republican,
it bumps you.
- As we explained in case (1), USENET is a cooperative that distributes messages in the form of
discussion threads, on a wide range of topics, to millions of people across the world. People can
participate in these discussions, simply by replying to a particular message. This reply then
gets published across the world, with the email address of the person replying to the message
attached to the reply. Ordinarily, these messages disappear after a few weeks on the net. But
imagine a company starts collecting these messages, and begins organizing them in a data bank.
This company then makes it possible for anyone, through the Web, to search the database of
USENET messages, for a particular word, or phrase, or for the name of a particular user. This
search then collects all messages that have that word, or phrase, or name, and displays the
list of messages, along with their senders. The user of this service can then click on the name
of the senders, and get a profile of all the messages that person has sent. For example the user
can discover that the sender of a particular message has regularly contributed to a discussion
of leftist politics, or a pro-life discussion group, and then access all of the messages this
sender has sent to these groups.
Under current laws, none of the above situations would be considered illegal, though most consumers would
consider any of them to be a gross invasion of privacy. All of the cases are easily implemented with current
technology; indeed, at www.dejanews.com, case 4 is already a reality. Any
user can visit this site, and in a matter of minutes find that I am an avid fan of pro-wrestling, men's basketball,
and cricket. Maybe this isn't such a big problem for me, but if instead I had been searching USENET for bondage pictures,
or posted to one of the gay support newsgroups, I might not be so comfortable allowing the general public to find out.
In cases 2 & 4, although individuals would have provided this data themselves, for example by posting
to a newsgroup using their true email address (case 4), it would obviously not have been for these purposes.
The law does very little to protect users when it comes to information they themselves make available.
Corporations are allowed to disseminate data they collect as they see fit -- a recent (slightly more humorous)
case occurred in Asia a few years ago, where Time Magazine, Asia and Saab traded their customer databases for
advertising purposes, resulting in hundreds of cars (NOT car owners) being invited to subscribe to Time.
(South China Morning Post Online).
Legislation to protect against such violations of privacy has been lacking, since the high cost of obtaining
information about a person made such violations a very rare occurrence. However, as with most issues regarding
the Internet, making data available online is a completely different issue, as it is virtually impossible to guarantee
controls on access. If Playboy magazine decided to give its subscriber rolls to America Online for the purposes of
advertising, that would be far removed from Playboy deciding to publish its entire list of subscribers online, even though
subscribers have willingly provided this information to the magazine. Cases 1 & 3 are even more serious, because
users are often not aware, and are never informed, that they could be providing information about their internet usage to
third parties.
The fact that practices such as those outlined above are not protected against underlines how
important it is for guidelines to be created and enforced on data privacy.